Hey, we're a little early. We'll get started. This is legal aspects of active defense. I am always
pleased when techies come and want to see how law intersects with technology. And years ago,
I had mentioned that to Marcus Sachs, who's a SANS instructor at Verizon and all that stuff.
And I said, Marcus, I'm always amazed that the room will fill up and people will actually show
up. And he said, yeah, the other rooms are all full and they don't have any else place to go.
So if you're here because you're interested in how they intersect, great. You're wonderful.
This is great. And if you're here because all the other rooms have filled up and you couldn't go
anyplace else, sorry about that. We'll try to get bigger rooms next time. So legal aspects of
computer network defense, the agenda, the things we're going to talk about here as we go through
to figure out what are those things that you need to do to be able to do computer network
active defense. Disclaimer aspect on things, I am here in a personal capacity.
I represent no employer, entity, government organization, anything. So I hope to be
informative to you and give you some information. And yet still maybe a little bit entertaining.
I have spoken at numerous Black Hats and DEF CONs before. And typically, I have the only
million-dollar giveaway. And what that is, is for any question or the best question, best comment,
or even best heckle, I usually will give away a $5, a $10, or a $25 chip under the million-dollar
giveaway. Now, you have to take the chip and go out to the casino and parlay that into a million
dollars on that. Now, normally that's what I do. I'm going to apologize. That's been canceled due
to sequestration. So if you're pissed at your government for things, let me explain something.
Talk to my wife about having 20% pay taken away. That's when you get pissed when you have to deal
with that on the home front. There is a current topic out there that is,
quite pressing. It is ripe for comedy. And they've been having fun with it. It involves the
United States government. And while the United States government was founded on happiness,
I think if you look at the Declaration of Independence in there, you will see that
basically it is founded on happiness. We are the only happy country. You look at any of the other
documents out there, the Magna Carta or anything, they don't mention happiness.
That said, I have spoken to sources familiar with the matter. And they tell me that the government
has no sense of humor on this topic. And so, therefore, we will not be making any jokes
about that whatsoever. As we go along, I have an active defense scenario to talk about.
A spoiler alert here. If you don't want to know how it comes out at the end, please turn
away from the screens and look the other way. Because the way it ends, he's the bad guy.
And if you're from my generation, actually, he's the bad guy.
And I know we're not supposed to do any sponsorships or plugs, but because I'm a Chrysler kid from
Detroit, Michigan, and I can also get fine Corinthian leather from him on that.
This is the first year that I'm going to hand out a Robert Clark cybersecurity award.
And I want...
What, what?
Drink!
Drink.
Oh, okay, wait.
Drink.
There was a different one last year at Black Hat.
They said any time somebody says cyber, you're supposed to shout out something else.
I can't stand the word cyber.
I absolutely hate it.
I'm a computer network, you know, guy from the aspects of a decade.
But if you want to have money thrown at anything, you've got to have the word cyber in it.
If you wanted porta-potties for DOD, you would say, these are cyber porta-potties, and they
would give you thousands of dollars for these things.
And, of course, you would say, okay, well, wait a second.
What makes it a cyber porta-potty?
Well, there's a keypad and...
Don't even go there.
So I would like to give the first Robert Clark cybersecurity award to someone who has done
something to advance cybersecurity.
So who should this possibly go to?
Because you've got folks like Leo Laporte out there doing stuff, Tom Merritt's doing
good work, I like Steve Gibson's aspect, and I even like Patrick Gray and the Risky
Business.
All these folks are out there.
And while I would like to kiss up to them to get on to their shows, I really actually
want to kiss up to Stephen.
Stephen Colbert.
Now, if you're wondering why, well, you know, he knows the technology.
Now, granted, a couple years ago, it was very archaic.
Of course, this might be the securest way to communicate these days.
I can't see below the table to see if there's anybody in the middle, but you never know.
But he knows the technology.
I mean, he gets customized technology that he gets to use.
One of the first users of a tablet into that, you know, virtualization aspects, even invented
his own Google.
So from that aspect, you know, what more could you want from somebody?
He knows the technology so much, he even advised Anthony Weiner, a.k.a.
Carlos Danger, that he should be using Snapchat.
So, you know, the guy's there.
He knows the web.
He knows iTunes.
He's got Google down, Bing, Twitter, Bitcoin he even talks about, and even PalTalk.
And if someone could come and tell me what PalTalk is afterwards, I'd appreciate that.
He knows the people.
He's, you know, from Java.
He's got Jobs to Schmidt and Gates, and even knows Anonymous.
As a matter of fact, he probably knows Anonymous a little too well and too closely.
If that's not enough for this award, he's got a virtual presence.
He's on the International Space Station, and he's even in animation.
So, you know, in my book, he deserves the first Robert Clark cybersecurity award, and
if this isn't enough to get me on his show, I really don't know what it's going to take.
Because it's not going to be my intellect from that aspect of it.
So.
So.
Now, getting on to things.
Disclaimer.
Again.
I am here in a personal capacity.
All the opinions are my own.
Cyber education is a big piece.
I am actually leaving the United States Army Cyber Command, which is not the same agency
as the United States Cyber Command.
I work for General Hernandez.
This is my last day actually working for him, and tomorrow I start at the Naval Academy
out in Annapolis on their faculty to educate.
So.
So I'm a professor of law, this is sweet, to teach midshipmen on the nontechnical content
for cyber operations, the law and policy aspects on life.
And so they have two core classes that every midshipman must take, and we're developing
a cyber operations major.
West Point also has an Army Cyber Center, so I will mention that with my Army heritage.
And then the other service has something they're doing, too.
But I have no affiliation with them, so.
If I say something wrong, please by all means say you heard it from an officer at Army Cyber
Command.
And if I say something right, please say that this brilliant professor from the Naval
Academy said.
I would appreciate that.
When I go to a conference, I'm really hoping that I'm only taking away one or two golden
nuggets of information, because if I'm not, then I'm really stupid and I really should
be studying a lot more.
And so the one golden nugget.
I want to give.
So right up front, if you're interested in this area, the American Bar Association, their
cybersecurity task force, is going to be coming out with a report that's supposed to be coming
out soon on active defense.
So I would say tuck this away if this is an area you're really interested in, and go to
their site down the road here and see if they have that coming out.
Because they're going to talk about some beaconing and some other aspects of it, so it might
be something to tuck away in the back pocket as we're moving about talking about doing
active defense.
So law and computer network operations.
If you ask the same question to two attorneys, you will get a lot of ‑‑ you'll get four
answers and there's only two attorneys there.
So the thing is, you know, I'm not your lawyer, and please, ask questions at any time, stand
up, shout.
We'll be glad to address them.
The interaction is really what makes this thing go.
But I would like to talk ‑‑ if anyone was in Mark Weatherford's talk on the growing
irrelevancy of U.S. government information sharing.
He made a point about ‑‑.
Attorneys, he didn't say which ones, and he said that they were very risk averse and
didn't understand the technology.
We'll get into Clark's law about dealing with your lawyers and technology a little bit here.
The aspect about being risk averse and what a lawyer's role is, and this is kind of for
you, I provide advice.
I give counsel.
If it's something illegal, I'll say this breaks the law if it violates a policy.
But I provide advice.
The responsibility to act on that belongs to my counsel.
Not my client or the commander or the government.
And it's their job to say, got it, okay.
But you don't let your general counsel run your company from that aspect.
That's kind of an interesting take that I had a problem with, with Mark Weatherford's
comments.
And it's not ‑‑ I understand the scenario, yes, senior leadership is not going to do
anything unless their general counsel says, yes, you can do that.
That's backwards.
The senior leadership is supposed to listen to their general counsel, it's their attorney,
but they make the decisions, and if they're not going to make the decisions, then they're
the ones who are risk averse.
And so that's the aspect, and that's kind of the role.
Because when the day is over, I'm going to go home and have a steak dinner.
You guys might be led away with handcuffs on, but I'm going to go home and have a steak
dinner on that one.
Before we get started, there are a couple of cases I always like to point out.
United States v. Prochner was the courts recognizing that computer security professionals are a
special‑skilled group.
Prochner had the right to remain silent, but he didn't have the ability, and gave a nice
detailed confession to which the judge elevated his sentence and said, you've got special
skills, and the court is going to recognize that, so that's probably not a great thing
on the computer security side.
There's an interesting Wi‑Fi case that came out.
Now it's a civil case, and it's one of them patent trolling cases.
In re Innovatio from this aspect.
They're suing coffee houses and people using Wi‑Fi, and it's that wonderful legitimate
suit where basically you send the coffee house a notice saying for $7,000 I'll go away
or we're going to sue you, and they did it to 7,100 hotels, coffee shops on that.
And they had a motion to enter how they were going about sniffing and grabbing the communications
going across the Wi‑Fi.
And how it worked was they were using, you know, grabbing data packets, going over the
unencrypted Wi‑Fi, using things that are readily accessible to the general public,
and that the sniffing protocol they were using, again, was available to the general public,
and the court was basically saying it falls under the wiretap exception, and so there
is no problem with them doing this.
You can have, with the proper foundation, this evidence can come in.
So what they were doing is they were using a Riverbed AirPcap packet capture adapter
for 700 bucks, Wireshark.
So with the laptop software.
And the packet capture adapter.
They could get any, you know, communications as long as they were in range.
All these things are provided by commercial providers.
And so it didn't violate the wiretap statute.
Now this is kind of interesting, meaning ‑‑ so back in the day, and the way technology
being generally available to people, it came back out of a case called Kyllo where DEA was
looking into a house using thermal imaging.
And the court said, no, no, no, that's not technology that's readily available to the
public.
They don't have their own helicopters with their own thermal imaging radar.
So we're not going to let you do that.
God, you know, what you folks are doing now in the technology that's available to the
general public, it is a very interesting area where we're going into in terms of what
you can sit there and sniff and grab that courts are holding, not a violation of the Electronic
Communications Privacy Act.
And of course you said the public's lack of awareness of this was irrelevant.
So it's an interesting civil case that's out there.
It's not a criminal case out there.
But it was kind of interesting.
The Constitution, pretty damn good document to run a country of 350 million people or
so.
Written in 1787, and then what happened next for computers?
Well, DOJ stood up the computer crime unit in 1991.
There's a little gap there on that.
And a little bit before that they did the Computer Fraud Act on that.
So how does this law stuff apply to we the geeks from that aspect?
Now on the Constitution there is the Article II powers out of the President's powers.
So it's kind of an interesting aspect.
There is a little known footnote.
He envisioned people like Jobs inventing communication devices that were incredible.
So according to the Article II powers, the President can conduct computer network operations.
He goes, I don't know what a computer is, but I'm sure it's going to be important in
a couple of years.
And please keep an eye on the IRS for us.
So legal aspects of computer network defense.
We had a pre-conversation up front here.
We were talking about certain things.
And an important lesson learned.
Which is very relevant to the area we're in right now.
And it's very true.
Bad legal advice put OJ in jail.
It was an interesting aspect where, again, he wanted to get his property back.
And his lawyer told him, hey, if you don't breach the peace, don't use force, you can
go get your property.
And of course the facts of the cases were that he went there with a couple of buddies
that had guns, breaching the peace, and he's in jail.
And so basically he kind of needs that number right there.
If you are out there, I've seen some of the attendees doing things.
This is a valid number.
You may want to jot this down for the weekend on that.
So again, I am not your lawyer.
When I try to come up with a topic for DEF CON, I want to make sure that it is relevant
to what's going on.
And this IP commission report just came out recently.
And it was interesting from the aspect of, again, DOJ had a chance to put in there that
they say, hey, hacking back is illegal.
So don't do it.
The report was written by Dennis Blair, who used to work ‑‑ was the first DNI director.
And Huntsman was the first DNI director.
He used to be the ambassador to China.
And the report really said that, hey, if I can retrieve my digital property without damaging
that person's computers, I should be able to do that.
So we're talking about self‑defense.
There are 21 state constitutions that say you have a constitutional right to defend
your property on that.
It is recognized in common law and goes back a long time that you have the right to defend
yourself and your property from that aspect.
And it kind of flows into this thing called trespass to chattel.
Now, the Intel versus Hamidi case was that blasting of e‑mails into Intel by Hamidi.
And one of the things that the court said was we favor in this area trespass prevention
over post‑trespass recovery.
That's kind of the theme of what we're going to be talking about here.
We're going to be talking about those things you do ahead of time so you don't have to
do post‑trespass recovery.
The active defense scenario obviously is going to be a post‑trespass recovery scenario
as we go down there.
Self‑defense, you've got to be in a place you have the right to be, a whole bunch of
other factors that go with it, but you've really got to be in that place that you have
a right to be.
It is not unlimited for property.
You can't, you know, usually use deadly force to defend your property under certain circumstances.
That actually will come back into play.
So you've got to be in a place you have the right to be with all the factors that go in
there.
We were also talking earlier about if we were going to do this, you know, who are the experts
we listen to.
Stewart Baker, formerly of Steptoe.
He's with them now, is quite the advocate that you should be able to hack back.
I was at the ASEA conference in Maryland and he offered to represent anybody who did it
and was prosecuted by DOJ for free.
Now, you can call him up and say, hey, I heard from this guy, and he might hang up
on you, but that's what I heard.
Orin Kerr, who is a professor at George Washington University and writes the book on computer
crime, his point blank said, I don't think there's a digital self‑help as the way things
stand right now.
So I'm sorry to ruin that for you for where we're going to go with our scenario here with
that spoiler alert.
But if it's me and I'm going to be prosecuted, I'm going to get Jennifer Granick or Orin Kerr
to represent me.
And both of them have said there's no digital self‑help, you know, self‑defense here.
Jennifer was on Patrick Gray's Risky Business Podcast 274 talking about this extensively.
And again, she said, you know, there's no digital self‑defense.
So what you've got to do is we're talking about building that case of reasonableness.
What are those things that you're going to do that are necessary and reasonable?
So when we're building that case of reasonableness, you've got to think of what are those things
you're doing to secure and defend, and, you know, it's that aspect of technology, your
open‑source and situational awareness and intelligence, your policies, your training,
information control, active defense things you may need to do, which might be deception,
recovery operations, you know, the stopping the pain aspects on life.
And what is the one thing that was missing from all those slides that's extremely important?
Previous and ongoing coordination with law enforcement agencies.
And why is this important?
Because if you're planning on doing this, in reality, why are you preparing for this?
Because you're trying to convince DOJ not to prosecute you or any other type of law
enforcement agency or prosecutorial office to prosecute you.
What are the things I did ahead of time that were reasonable that I had to take the next
step?
You know, or worst‑case scenario, you're going to actually have to try to convince
a judge or a jury that you have a self‑defense claim.
So the reality and the practicality of this is simply DOJ is always and has always been
taking a hard look at this and a hard stance on this.
Until the law is amended, they feel that this is a crime.
Now, don't blame DOJ, okay?
You don't beat the monkey if the organ grinder is not present, okay?
So go see Congress, because Congress is the one that's responsible to amend the law for
that aspect of it.
So the requirements for self‑defense.
A self‑defense or a necessity defense require that there are no other lawful means available,
meaning you've gone to and seen LEA.
All your remedies have been exhausted, meaning no law enforcement, you know, civil lawsuits
have been filed on that.
And I go back to this prosecuting computer crimes manual that DOJ has had out for a long
time.
Again, you know, doing so may be illegal regardless of your motive.
The other aspect for you all that I've had come across.
I've had conversations with some techies on.
It's the aspect of resource intensity.
I say, okay, so if you've got this honeypot with a bunch of fake documents in there and
they say, you know, the big problem with this is my clients can't manage their real stuff
and now you want them to have a bunch of fake stuff on there, they don't have enough time
managing the real stuff.
So this is very resource intensive from my perspective.
So I don't think it's a mom‑and‑pop shop thing that they're going to be doing.
I did government contract litigation and we had a lot of mom‑and‑pop, third‑party,
suppliers.
I can't see they're the ones doing this.
It's going to be somebody that's got a lot of resources to dive into this.
So building that case of reasonableness, the things I think you need to do so you can actually
get to that active defense scenario.
There's the technology you've got to have in place.
And you guys, I'm talking to the experts that know all of that.
So you're talking about your different ‑‑ you know, your firewalls, your intrusion systems,
real‑time network awareness, SSL proxy things, your logging, your monitoring, you know, on
that.
And you've got some honeypots flowing from that aspect.
So you're doing all this.
And, of course, legally you can do this because to do this you've got to comply with the law,
which would be the wiretap statute.
So you're either getting consent of your users through your logins and your banners from
that aspect on life or you're doing it in the service provider's aspect in terms of
that exception to the wiretap statute that says, hey, it's my property, I can defend
it.
It's necessary to the defense of the property.
And these are the cases that came out of the blue box cases where they had to find out,
you know, taking the Captain Crunch ‑‑ the whistle out of the Captain Crunch box.
And it's back in the day where they recorded the beginning of the conversations, half
of it and all of it, and when the cases got to the court, the judge said, okay, you recorded
the front part of it.
That was tailored.
And you identified what the phone number was.
Those are going to go forward.
And when they recorded more of the conversation, like half of it, where the prosecutor could
prove or submit why they needed to record half of it, those cases went forward.
And if they couldn't, they were thrown out.
And pretty much where they recorded the whole thing, the judge said, you didn't tailor this
at all.
We're throwing these out.
So now how do you tailor computer network defense?
How do you tailor your intrusion detection systems?
It's not like I can record the first part of the three‑way handshake.
And kind of in my opinion, it's like that means I'm going to run my Snort sensors out
there and I'm going to grab everything, you know, see how much my storage space is
going to have, whether this sensor is overwritten in four hours or it stays on there for 30
days.
And when I get my alerts, I can go back and grab the information and take a look at it
to do my computer security.
So from that aspect, that seems reasonable.
It's tailored.
And there really hasn't been an argument or debate on that aspect of it, you know, from
the technology speaking aspect.
When I talk to techies, I always ask one thing.
I'm like, why aren't the crown jewels air gapped off and why aren't they encrypted and
dead at rest?
Again, being the lawyer and the stupid one in the room, I'm thinking, okay, it's got
to be expensive, it's got to take time, it's got to slow things down, and, you know, I've
actually had techies come back and go, no, not so much.
So if I'm wrong at that, please tell me on that aspect of it, but I'm always curious
at why.
Why the crown jewels of a company aren't separated off, air gapped, and there aren't things in
place to protect them.
Again, steps that are reasonable to defend the information that you want to do.
I did mention beacons before.
I will note that DOJ has a ‑‑ again, it's one of those aspects of the absurdities
of law, the way it's written.
If you're not an electronic service provider, you can't do beacons.
It's a strange thing on that.
Again, that's something that I'm hoping that the ABA task force report will talk about.
Pen testing and red teaming.
One of the things that you need to kind of be concerned about actually is the Lanham
Act.
It is a national system for trademark registration to protect your trademarks from either consumer
confusion or dilution.
And that means if you're using that mark and it reduces people's perception of it, you
could have a problem.
Why would this come into this field?
So you have ‑‑ you go to your library.
You go, hey, we want to do some spear phishing.
Okay.
And Beyonce's concert is coming up, so we want to send that out to our employees that
for $45, if you click here, you can get $45 tickets front row to Beyonce.
Is that a problem?
Lawyer doesn't know much about technology, is busy with other things, go ahead.
So they go ahead and they set that out.
Next thing you know, they forward it to their friends and they forward it to their friends and they
forward it to their friends and it goes outside your network and now everyone is sitting there
going, wow.
We can get Beyonce tickets for $45 and Beyonce's attorney comes knocking at your door going,
who the hell are you and what the hell are you doing?
So that's the aspect.
If you don't plan for these things and make them so they can't get released into the wild,
you could have a problem here.
Now, I am not a Lanham Act attorney.
And before you blast me to the evaluation boards and everything, you need to understand
one thing.
You're going to go hire the law firm at Dewey, Cheatham and Howe.
And they're going to give you your legal advice for what you need to do.
And there are a whole bunch of people in this law firm.
And one of the branches you're going to have to go see is the Lanham Act branch to talk
to them about this and how to go about doing that.
So that's one situation in your law firm that you're going to have to deal with.
Intelligence and situational awareness, you've got to know what's going on out there.
So you've got your open‑source intelligence where you're going to have your bulletins
from US-CERT.
You're going to hire a commercial company to give you added intelligence on that because
we know the government doesn't get anything first.
And so you're going to get that private information there.
You're going to do active business intelligence, which you're going to do that competitive
intelligence and you've got to be careful not to step on the side of the economic espionage.
Economic espionage.
So that's set up to protect trade secrets and information, again, enacted in the time
of this high‑technology information age.
So a couple things.
It's getting that information without authority, you kind of know when you've got it without
authority and the trade secrets.
Now.
Good old Doug and Kristen here kind of wrote an article dealing with looking at these aspects
of economic espionage.
And they say, hey, it's a very broad topic and you've got to kind of be aware of it.
You can get into trouble when you're doing these aspects of getting open‑source intelligence.
Some lawful means of going out and grabbing information can in fact become misappropriation.
And so you've got to be careful because that combination of all that public information
could get you into trouble.
Again, this is kind of Doug and Kristen's take on this.
Now, there is a case out there that kind of said, look, open‑source and possession
of open‑source information or readily ascertainable information is clearly not espionage.
So you've got some case law on your side there.
But Bill Bradford kind of, again, went down this path and was talking about the different
aspects of economic espionage when he was looking at firms routinely getting this stuff
and that practice of getting open‑source publicly available information for that.
So what are you talking about?
The desired information you're looking at, you know, research plans, R&D, things of that
nature.
The publicly available information.
You're looking at common ways to do this, data mining, I like the psychological modeling
of rival executives.
I think that's kind of neat.
It's like that.
My wife wants me to have that done, too.
So there's that.
Areas that kind of raise some questions that he looked at when you're talking about ethical
questions, which is interesting because he's like appropriating documents that are misplaced
by rivals, which gets into, okay, if I've got an iPhone left behind.
If you go to your lawyer and say, hey, I found this, oh, abandoned property, hey, it's abandoned,
there's no rights to that property anymore, let's rip it apart, eh, okay, there might
be that theory.
He talks about overhearing rivals, executives.
I'm of the fan, if you come talk to me on this one, it's going to be, hey, that's misplaced
trust.
That's the third party doctrine where if you're going to say something, broadcasting it out.
Again, these are areas that could raise ethical questions, not quite blank, illegal.
Hiring employees away from rivals.
You've got a Computer Fraud and Abuse Act thing that really comes into play on that one you've
got to be careful on.
And I love the dumpster diving aspect on life because actually there's some court cases
that once you put your trash out by the curb, anybody can go diving into it as much as
they want.
Those areas that are clearly illegal, yeah, kind of stuff that you all are really good
at on that.
And so you've got to be careful on those things.
Again, I am not an economic espionage lawyer.
So you're going to go to your law firm, a Dewey, Cheatham & Howe.
You're going to go up to the FBI.
You're going to go up to the Economic Espionage Branch and say here's what I'm planning on
doing on this.
What do you think?
And you've got to take them through step by step those things that you're going to do.
Ironically enough, there was a case that came out just a while ago, the Aleynikov case.
And a lot of times when you read facts or opinions on a case, they kind of tell you
where they're going as you go through them.
So Sergey was a computer programmer for Goldman Sachs and he was responsible for one of their
high end important aspects.
Okay.
And it did market development.
He was ‑‑ it was proprietary information.
And he was one of 25 programmers and the highest paid at $400,000.
And this is where the facts get found and he's going to be hired at a competitor for
a million bucks.
So we can kind of see where things are going, especially when the court says on his last
day of employment.
And then it gets better.
Just before his going away party, he decided to give himself a little gift, which was 500,000 lines of code.
And he sent that off to Germany and then downloaded it later from Germany and, of course, he deleted everything that he did.
And, of course, he's surprised when he has a hoof farted look when they come and arrest him, oh, you're kidding.
And he ends up getting convicted of economic espionage for stealing the source code.
Well, he appeals this and on the ‑‑ at the appellate level, the appellate court
held that this was not a violation of the economic espionage act.
So before you think about going and doing that, it's been modified and amended to take
that into consideration.
So don't go do that.
The next area of reasonableness and things you need to do prior to going and hacking
somebody's computer, your IA training, your information assurance policies and training.
And the big aspect on this is having them in place, you know, you've got your banners,
your user agreements, being consistent with them and enforcing them when something goes
wrong.
So especially with the insider threat aspect, if you're going to do a civil suit for computer
fraud and abuse.
Were employees being disciplined for violating these different procedures, so you want to
make sure you're enforcing these policies and you're actually on top of them.
Information control, hey, it's the stuff you all know about.
It's the access list, encryption, digital rights management, again, another step for
reasonableness.
So if I've got to be in front of a judge, I can say, here are all the things I did
before I had to actually go and retrieve my property.
The deception piece is a very interesting aspect.
When you get a bunch of lawyers sitting around.
Just talking this stuff around.
Somebody invariably will bring something up and go, hey, did anybody ever think about
the SEC?
And you're like, what the hell does the SEC have to do with, you know, a deception plan
for this aspect?
But companies have responsibilities to actually do reporting.
And thanks to good old Reed Hastings and Netflix, you know, the SEC said we can come
out and we can investigate anything we want that we think is a possible violation of the
SEC laws.
Now, I'm not an SEC attorney and I don't want to be an SEC attorney.
So you're going to go over to Dewey, Cheatham & Howe and go to the SEC branch to start
getting their advice.
Now, the disclosure piece on this becomes a very interesting aspect when you're in this
area.
So you want to do a deception plan.
So you're going to have things out there internal to your network that are not going
to be out there, that are wrong and erroneous, that are deception.
So it's no intent.
You're not going to make this public.
Then they're stolen.
And they're leaked to the media.
All right?
And is this a disclosure that you've made?
I know.
They're stolen.
They're leaked to the media.
Is this an SEC violation or not?
I really don't know.
Tell me how that works out when you run that past your SEC attorneys.
Because when you're talking about deception plan or deception examples, what are you going
to be putting out there?
Requests for proposals.
Now, those could be your requests for proposals that you're putting out to your suppliers
or they could be requests for proposals that you've received as you're doing your bid preparations.
So you're putting ‑‑ you know, you're putting out your bid preparations.
You know, false information out there, on there to be grabbed, you know, by your competitors
so they don't know what you're doing.
Blueprints and designs.
All right?
Minor defects.
We went back and we said, you know, self‑defense property, you can't, you know, harm somebody
when you're going to defend your property.
So a minor defect or a major defect, you know, are you going to cause harm?
If it's a product, you know, that has engineering aspects of it, if it's computer code and somebody
looks at it and downloads it and it melts their servers, are you liable?
If it's a car.
And the brakes don't work.
Are you liable?
I mean, so these are all things that you need to talk to your folks about when you're planning
on doing this.
Business plans and financial records, again, you sit around ‑‑ I'm not a mergers
and acquisitions guy, but somebody comes up and goes, whoa, wait, mergers and acquisitions.
You've got information about other people's real companies in here, and if that's stolen
and leaked to the media, that could harm them.
What if they come knocking on your door saying this was your document, it's not true, I've
suffered a harm.
I want some money from you.
Now your lawyers are going to say, again, being risk averse, I don't want to invite
litigation in from this aspect, so you're going to have to be very specific as you go
through this, talking to your attorneys, you know, how you're going to protect this
from happening.
Joke.
Because I need a thinking break.
Okay.
So NSA is going to store a whole bunch ‑‑ yeah, it's controversial.
So all these little aspects of terabytes, petabytes, zettabytes, yottabytes, so I don't
know ‑‑ you know.
I'm wondering, what's a zettabyte?
Well, I dated a zetta at Michigan, so talk to me afterwards about that.
A petabyte, do you realize if you Google the site of PETA, like this is the cleanest image
you can actually put in a conference like this.
So I guess that's a petabyte.
And obviously the yottabyte is easy, you have that yottabyte, you have that yottabyte, and
if that's not enough, they'll have a stream all over.
So I don't have a sponsor.
So active defense.
Okay.
Actually, I did have a sponsor, but I don't want to get in trouble.
Ask me afterwards.
Active defense, recovery operations.
The Kobayashi Maru, you know, I do like the new Star Trek, I like the old one, but I like
the new one, too.
And, you know, there is a certain aspect of a no‑win situation when you're dealing
with this.
So I had colleagues ask, are you going to actually talk about Clark's law that nobody
has ever heard of?
And I'm like, yeah, I am.
Clark's law.
Get your attorneys involved early and often.
Okay.
Explain the technology to them at a third grade level so they can understand it.
Because they're going to have to turn to a judge, jury, or senior leaders and explain
it at a first grade level.
So it is very important ‑‑ now, lawyers are ‑‑ and you're all smart, so you're
going to hire good lawyers that have been very well trained to be analytical, to be
able to ask the right questions on this aspect.
And that's what lawyers should be trained to do, be analytical and ask the right questions.
Okay.
So you're talking to them.
You're walking them through that at that third grade level, and they should be able
to ask the questions and really understand it.
There's another aspect I want to say of Clark's law, because my active defense scenario, I
am not a PowerPoint ranger, so I have some very simplistic graphics to kind of go through
our active defense scenario.
So we've got our intruder.
He's going through that innocent third party over to the victim.
He's going to exfil some information over to an open FTP server, and he's got his other
box, his other hopping point.
And he's going to download the information from there.
So that's kind of our scenario for our active defense scenario aspect on life.
So what can I do?
So, you know, the aspects of logging.
Yeah, we can log until the cows come home.
So you can log that third party coming in.
You're going to kind of look, see, has this third party touched me before?
What have I got for my records?
So log us up.
That's a piece of cake from that aspect.
You know, the FTP server, do your logs see the exfiltration of data going out?
I'm getting ahead of myself because I'm going to knock off the exigent circumstances right
now.
Because I always get the argument, but they went to my R&D shop and got all the documents
and took out a terabyte of stuff.
I have got to go after it and get it.
All right, look, you know, all right, fine.
Then your lawyer needs to ask a question.
You saw them do that.
When they exfilled the documents, what were the documents?
And most of the time we're finding out that they've encrypted them, so you have no clue
what was taken.
Now, you do have a ‑‑ you know, part of an argument to say, yeah, but I know it
came from my R&D section, as opposed to just HR, which we don't do.
It was probably just nothing but social security numbers and personal information.
Who cares about that?
This is the company over here.
But, you know, so from that aspect, you know, the exigent circumstances and having to go
after it, it's kind of a challenge on that.
But you see on your logs, they went to the FTP server out there, and you get that from
your logs.
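As an added illustration of the two logging questions the speaker raises (has this third party touched me before, and do the logs show the exfiltration to the FTP server), here is a small Python check over constructed flow-log lines; it is not from the talk, and the log format, address ranges and segment labels are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed flow-log lines for this example (not from the talk). Each line records
# time, source, destination, destination port and bytes sent by the source.
LOG_LINES = """\
2013-07-29T08:15:02Z src=203.0.113.10 dst=10.1.5.22 dport=22 bytes=1320
2013-07-30T21:03:11Z src=203.0.113.10 dst=10.1.5.22 dport=22 bytes=2048
2013-07-30T21:07:40Z src=10.1.5.22 dst=198.51.100.7 dport=21 bytes=734003200
2013-07-30T21:08:01Z src=10.1.9.4 dst=198.51.100.7 dport=21 bytes=48000
2013-07-30T21:09:15Z src=10.1.5.22 dst=192.0.2.33 dport=443 bytes=9100
"""

INTERNAL = ip_network("10.1.0.0/16")  # assumed internal range
# Assumed segment labels so a finding can say where the data left from (R&D vs. HR).
SEGMENTS = {ip_network("10.1.5.0/24"): "R&D", ip_network("10.1.9.0/24"): "HR"}

def parse_flows(text):
    """Parse 'ts k=v k=v ...' lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        f = {"ts": parts[0]}
        f.update(kv.split("=", 1) for kv in parts[1:])
        f["dport"], f["bytes"] = int(f["dport"]), int(f["bytes"])
        flows.append(f)
    return flows

def prior_contacts(flows, external_ip, before_ts):
    """Earlier inbound flows from external_ip (ISO-8601 UTC timestamps compare as strings)."""
    return [f for f in flows if f["src"] == external_ip and f["ts"] < before_ts
            and ip_address(f["dst"]) in INTERNAL]

def segment_of(ip):
    addr = ip_address(ip)
    return next((name for net, name in SEGMENTS.items() if addr in net), "unlabelled")

def outbound_ftp_transfers(flows, min_bytes):
    """Internal hosts pushing at least min_bytes to an external host on port 21."""
    hits = []
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL and f["dport"] == 21 and f["bytes"] >= min_bytes:
            hits.append({**f, "segment": segment_of(f["src"])})
    return hits

if __name__ == "__main__":
    for h in outbound_ftp_transfers(parse_flows(LOG_LINES), 1_000_000):
        print(f"{h['ts']} {h['segment']} host {h['src']} sent {h['bytes']} bytes to {h['dst']}:21")
```

The segment label answers the speaker's "it came from my R&D section, not HR" point; what the logs cannot tell you is the content of an encrypted transfer.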
Now, can you see the intruder on the FTP server?
It's open FTP server.
Now, this is the part when Marcia Hofmann from EFF was talking at Black Hat, and she said,
the Computer Fraud and Abuse Act is kind of vague when it starts getting into that aspect
of without authority or in excess of your authority.
Yes, the Computer Fraud and Abuse Act is vague.
But I hate to go to the definition that I use for my children.
You know what the right choice is.
Are you in a place that you have a right to be?
I mean, it kind of comes down to that.
If you're in that gray area, you're going to want to make sure you're in a place you
have a right to be.
So that FTP server, when you get in there.
If it's open and you can log on there, go ahead, hop on there, see where your files
are from that aspect.
Now, I'm not aware that logs of somebody else logging into the FTP server are usually something
you can see.
So usually you're going to have to elevate your privileges to see those logs from the
FTP server to get to the intruder.
Now, if that's the case, then you've probably exceeded your authorities in the access that
you had, and that's probably count one of the Computer Fraud and Abuse Act, be that
as it may.
We're going to cruise along here because I want to talk about deleting data.
So can you delete the data on an FTP server?
So if I'm on an open FTP, you can log in, I can log in, you can log in.
Anybody can get on.
I think if we're all in agreement that I'm in a place I have a right to be.
Would that be correct?
Okay.
There are files on there.
They're available.
I can open them up and look at them.
You can open them up and look at them.
I can download them.
I can upload them.
Again, is that kind of the way it's set up?
Okay.
Can I delete files that are uploaded by somebody else on there?
Yes or no?
Is the answer?
If the answer is both, then say both.
But if it's to my world, it's typically no.
This is probably one of the stupidest, silliest things.
My files have been stolen, uploaded there by somebody else.
It's my property that was taken.
I'm in a place I have a right to be.
Can I delete those files?
Logic says, yeah, well, hell, yeah, they're my files, yes.
But if I don't have that authority to delete files on that server, arguably I don't have
that authority.
What am I going to do?
Go talk to your attorney, and don't tell me.
So from that aspect, it's an argument of whether I can delete that information or not.
Can I go over to the intruder and delete that information that I've seen him take off of
their closed, protected computer?
I got no authority to be on that box from that.
So from that aspect, like I said, if you're going to do this, you go talk to your attorneys
from that part and see how that works.
What if that's an innocent third party over there?
What if you go to your attorneys and say we went to the FTP server, our documents went
out.
They're being stored by that party box.
Can I get the logs from that?
Can I go touch that box?
Now in this innocent third party, they don't even know it's there.
How do you know it's not there?
Because they've got terabytes of data there.
There's a bunch of movies on there.
There's a bunch of stuff on there.
There's no way they know what's on their system.
Let's just go in there, take our stuff off, and away we go.
Well, again, the best way to do that is contact the third party and get consent.
Any time you get ‑‑ talk to any law enforcement.
Consent?
Yeah.
Hey.
Great.
Let's go.
Any time you get consent, that's the way to go for it when you're talking about that.
Can you go back and trace them back?
Now say you've got an innocent third party, they let you have their logs and you get back
over to that intruder there, again, we're still in that same situation where we're stuck.
Have you gone to law enforcement?
Is law enforcement involved?
Can they get there fast enough from that aspect?
If it is a protected box, typically I cannot go there and get that information.
Deleting the data, I want to move to if it's a closed FTP server.
Okay.
If this is a closed FTP server and you see what the login information is from your logs,
can you go hop on it?
Yes or no?
I hear some no's.
So when we listen to NSA and EFF up here, they talk about Smith versus Maryland.
That's that case where when I give my phone record to the phone company, I've exposed
it to a third party.
I got no expectation of privacy in that.
If I give you my login information, what's the difference?
Yeah.
Here's the aspect.
You've got the login information.
It was exposed to you.
I now know it.
Why can't I use it?
So you borrow or you loan to your neighbor your baseball mitt, some property, and you
want to get it back.
You go over to their house and they've got a cipher lock on their door.
They gave you that code because your kid had to take care of their cat on that, so you
have the authority to go in and take care of the cat and use it.
Do you have the authority to go over to your neighbor's house to get your baseball mitt
back?
Do you get it back by using that cipher code at that particular time?
No.
Typically you don't.
I mean, you're in your post-trespass recovery phase from this aspect of it.
That's the O.J. Simpson: don't breach the peace, don't do anything.
So that's the aspects of it.
So when you go talk to your lawyers about this aspect, you're going to say, here's
the information I've got.
Anybody can log into it using this information.
Why can't I log into it using this information and go do it?
Again, these are all these gray areas.
This is the gray part on providing the advice.
Then you get to make the decision, and if it's wrong, you're being led away in handcuffs
and I'm having a steak dinner.
I won't have you as a client anymore, but at least I had my steak dinner.
So clearly when we're talking about these areas, they're very fact specific.
And so it's kind of difficult sometimes to get questions on it.
If a fact changes, it changes what you can and cannot do.
So you need to get involved with your attorneys as you're walking through this, and obviously,
doing this requires good computer network exploitation in terms of your attribution
and the logins that you've got there for this.
There's an aspect where I always get to as far as stopping the pain when you're dealing
with a denial of service attack.
The part that I would say you really want to look at for this is DOJ has done the
Coreflood botnet takedown, and the documents are all publicly available.
And the steps that they go through to be able to do this kind of gives you a blueprint for
how to legally do this, and, of course, they are doing it with the courts involved from
that aspect.
So if you're curious about doing that part of it, the DOJ documents that are publicly
available out there are a good starting point to take a look at that.
As I mentioned before, the IP Commission report talks about a lot of different areas that
you may want to do this, and the American Bar Association is going to be coming out
with their report down the road.
Here's the big thing, and Jeff Moss talks about this down the road, if you're going
to do stuff like this, you need to get a good job.
You need to get a good job.
You need to have a good team of lawyers.
Jeff is actually a fan.
I've been at talks where he's like, we need more lawyers who do this to advance this.
Not that anybody really likes lawyers.
Be that as it may, you're really going to need a good team of lawyers to do this, or
if you're really going to do this, you just need one really good lawyer on that.
So with that said, I will be going to a Q&A session.
I've got three minutes for questions right now from what I understand.
So if there's any questions, I will be hanging out on the phone.
Thank you for coming.
I hope you got a golden nugget out of this.
If not, I hope there was a joke you laughed at.
Thank you.
